Tuesday, January 16, 2018

Fix For Meltdown And Spectre

Everyone is talking about Meltdown and Spectre, the two security flaws found in Intel, AMD (less vulnerable) and ARM CPUs. Using these flaws, attackers can read system memory, which may hold your passwords and other sensitive information. The worst part is that most systems are affected, so you are most likely affected too. Let's see how much an Internet surfer like you is affected by Meltdown.

First question: are you vulnerable or not? Most probably, yes. The flaws are in all modern CPUs, so you're most likely affected.

Secondly, how can an attacker read your system's memory? There are three variants that trigger the vulnerabilities, as described by the Google Project Zero team. If you only surf the Internet and think you're secure, you may not be. After the vulnerabilities were disclosed on the Google security blog, all software vendors came out and said that they had been working on the fix since they were informed. Luke Wagner from Mozilla confirmed in a blog post that similar techniques can be used from web content (JavaScript code etc.) to read private information of a website visitor.

Several recently-published research articles have
demonstrated a new class of timing attacks (Meltdown and Spectre) that
work on modern CPUs. Our internal experiments confirm that it is
possible to use similar techniques from Web content to read private
information between different origins...

Now there is no question that users like us, who mostly surf the Internet on their devices, are not secure. All it takes is a visit to a malicious website. Attackers may also start compromising websites to run malicious code on visitors' devices and read sensitive information, such as other sites' passwords saved in the web browser.

Firefox and Chrome have also confirmed that they're working on the patch. Chrome will release a Meltdown-protected version on January 23. So will you (Chrome users) have to wait that long? Yes, but here is a quick solution as well.

Enable Site Isolation To Protect Browsers Against Meltdown And Spectre

Besides waiting for Chrome to release the Meltdown-protected version, Chrome/Chromium users can use a solution that is already there: Site Isolation. With Site Isolation enabled, the content of every website is always rendered in a dedicated process, isolated from other websites. This makes the content unreadable to other websites. If you visit a malicious website that runs code in your browser, it won't be able to see the data of other websites.

To enable Site Isolation in Chrome/Chromium, copy the following URL into the URL bar:

chrome://flags/#enable-site-per-process

Now you can see that the highlighted option is Strict site isolation. Enable it and restart your web browser. Site isolation is now working.

Site Isolation For Firefox Users

I also tried searching for an alternative solution for Firefox and only found First-Party Isolation. I'm not sure if it will work against these vulnerabilities, because First-Party Isolation separates cookies and makes them not accessible by other websites. I'm not sure if it separates the entire website content from other websites. Still, I've given instructions below to enable FPI in Firefox, so you can try your luck.

To enable First-Party Isolation, type about:config in the URL bar. Search for site isolation and you'll get the following options -

As you can see, the value of privacy.firstparty.isolate is set to false. Double-click it to set it to true.

So this was the possible way that an attacker can target you and exploit the flaws. I've also mentioned the possible solutions so that you can at least apply what you have. Do share this article with your friends on social media and let them know about this solution.